Improper Control of Generation of Code in Twig Rendered Views in Shopware
Description
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in Shopware\Core\Framework\Adapter\Twig\SecurityExtension and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Shopware 6 SSTI vulnerability allows attackers with Twig access to bypass validation and execute arbitrary PHP functions, leading to remote code execution.
Vulnerability
Overview
CVE-2023-2017 is a server-side template injection (SSTI) vulnerability in Shopware 6 affecting versions up to 6.4.20.0 and 6.5.0.0-rc1 through 6.5.0.0-rc4. It bypasses the previous fix for CVE-2023-22731 [1]. The root cause is an incomplete validation in Shopware\Core\Framework\Adapter\Twig\SecurityExtension, which fails to properly restrict fully-qualified names supplied as arrays of strings when referencing callables [2].
Exploitation
An attacker with access to a Twig environment without the Sandbox extension (e.g., admin panel access) can craft a malicious template using fully-qualified PHP class names. By supplying callables as arrays, the attacker bypasses the security checks and invokes arbitrary PHP functions [1][2]. The attack requires low privileges (e.g., admin login) and no user interaction [2].
Impact
Successful exploitation allows the attacker to call any PHP function, leading to complete compromise of the server, including data theft, modification, or denial of service. The CVSS score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [2].
Mitigation
Shopware has released version 6.4.20.1, which fixes the vulnerability [4]. Users are strongly advised to upgrade immediately. There is no workaround available [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| shopware/platform | Packagist | < 6.4.20.1 | 6.4.20.1 |
| shopware/core | Packagist | < 6.4.20.1 | 6.4.20.1 |
Affected products
- ghsa-coords (2 versions): < 6.4.20.1, + 1 more
- (no CPE) range: < 6.4.20.1
- (no CPE) range: < 6.4.20.1
- Shopware AG / Shopware 6, v5, range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023 (ghsa, vendor-advisory, WEB)
- github.com/advisories/GHSA-7v2v-9rm4-7m8f (ghsa, ADVISORY)
- github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-2017 (ghsa, ADVISORY)
- starlabs.sg/advisories/23/23-2017/ (mitre, third-party-advisory)
- github.com/shopware/platform/releases/tag/v6.4.20.1 (ghsa, WEB)
- github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f (ghsa, WEB)
- starlabs.sg/advisories/23/23-2017 (ghsa, WEB)
News mentions
No linked articles in our index yet.